Application execution device, application execution method, integrated circuit, and computer-readable program

ABSTRACT

An application is activated with access permission to resources which are granted to unsigned applications. In parallel with the execution of the application, a tamper check is performed on the application using a tamper check thread. When access to a resource which is not granted to unsigned applications is requested during the execution of the application before the completion of the tamper check, the application is put in a wait state until the completion of the tamper check. After the application is judged as having been untampered with as a result of the tamper check, the application is further granted access permission to resources that are specified by a permission information file included in the application. If this further-granted access permission includes the access right to the resource, the execution of the application is continued.

TECHNICAL FIELD

The present invention relates to an application execution device which acquires and executes application programs, and in particular relates to techniques of executing application programs acquired via digital television broadcasting.

BACKGROUND ART

In recent years, studies have been conducted on a variety of digital television broadcasting standards. One example of such standards is MHP (Multimedia Home Platform), which is employed in many countries. According to MHP, a broadcast device multiplexes an application program (hereafter simply referred to as an “application”) in a broadcast wave and transmits it using an object carousel, and a digital television reception device receives and executes the application.

By executing such an application, the digital television reception device can achieve various functions which are unavailable to conventional television reception devices. As one example, an interactive television system can be realized whereby the digital television reception device transmits information which is collected by an application in conjunction with a broadcast program received from a broadcast wave, to a broadcast station via a network such as the Internet.

However, if unrestricted access to resources, such as use of a file system in the digital television reception device and connection to the network, is granted to the application, the user may suffer damage or a control system in the digital television reception device may be adversely affected in a case where the application contains malicious code. For instance, executing an application containing malicious code may cause a channel switch to occur during viewing, or information stored in the digital television reception device to be leaked or destroyed. To avoid this, Section 12 “Security” of the MHP specification defines how to execute applications securely.

According to this section, there are two types of applications: an unsigned application, which need not be authenticated; and a signed application, which needs to be authenticated.

The unsigned application is executed without being authenticated but, in order to protect the system, is prohibited from such access to resources as may adversely affect the system.

The signed application is permitted to access more resources than the unsigned application. Before activation, however, authentication is performed on the signed application by identifying the transmitter of the application using an X.509 certificate and checking whether the application has been tampered with based on hash values. Only when the authentication is successful is the signed application activated. Thus, the system is protected by executing only signed applications that are authenticated as valid applications sent from trusted transmitters.

This technique, however, has the following problem. Though the signed application delivers higher functions than the unsigned application, the signed application cannot be activated promptly, as it needs to be authenticated first. This gives rise to a demand for a technique of activating high-function applications more speedily.

DISCLOSURE OF THE INVENTION

The present invention aims to provide an application execution device, an application execution method, an integrated circuit for an application execution device, and a computer-readable program that can speed up activation of high-function applications while maintaining security.

The stated aim can be achieved by an application execution device including: an acquisition unit operable to acquire an application program which includes instructions to access resources; a judgment unit operable to judge whether the acquired application program has been tampered with; a tentative permission setting unit operable to obtain tentative permission information showing permission to access only a first resource; a definite permission setting unit operable to obtain definite permission information showing permission to access the first resource and a second resource; and an execution unit operable to start executing the application program within a range of the permission shown by the tentative permission information, before the judgment unit completes the judgment, and after the judgment unit completes the judgment, continue executing the application program within a range of the permission shown by the definite permission information if the application program is judged as having been untampered with.

According to the above construction, the application execution device can activate the application program without a wait time for the tamper check to be completed. If the application program is judged as having been untampered with as a result of the tamper check, the application program is granted access to not only the first resource but also the second resource. This makes it possible to realize high-function application programs that require access to the second resource.

Therefore, high-function application programs can be activated promptly while maintaining high security.

Here, the execution unit may assume a file size of the application program to be zero, if the application program is judged as having been tampered with.

According to the above construction, the file size of the application program is assumed to be zero if the application program is judged as having been tampered with. This prevents the application program from being further executed.

In this way, high security can be maintained even when the application program has been tampered with to contain such an instruction to access the second resource as may adversely affect the device.

Here, the execution unit may start executing the application program before the acquisition unit completes the acquisition of the application program.

According to the above construction, the application execution device can activate the application program without a wait time for the acquisition of the application program to be completed.

This enables the application program to be activated more promptly.

Here, the acquisition unit may acquire the application program by receiving a digital stream which carries the application program.

According to the above construction, the application execution device can activate the application program without waiting for the acquisition of the application program to be completed, even when it takes a long time to acquire the application program due to a low transmission rate of the digital stream.

Therefore, the application program can be activated promptly regardless of the transmission rate of the digital stream which carries the application program.

Here, the digital stream may be a transport stream of digital television broadcasting, wherein the application program is multiplexed in the transport stream using an object carousel.

The time period required for a digital television reception device to acquire an application program of, for example, 100,000 steps which is transmitted in a transport stream using an object carousel is about 20 seconds, which corresponds to one cycle of the object carousel. This means at least 20 seconds are necessary before completion of the tamper check that needs to be performed on the whole application program. The application execution device having the above construction can activate the application program without such a wait time for the acquisition of the application program to be completed.

Therefore, the activation of the application program can be speeded up by the time period from when the part of the application program needed for the activation is acquired to when the whole application program is acquired.

Here, the first resource may be a resource which an unsigned application is permitted to access in MHP.

According to the above construction, the application program is granted access to the first resource, which conventional unsigned application programs are permitted to access in MHP, before the completion of the tamper check. Meanwhile, the application program is prohibited from accessing the second resource, which conventional unsigned application programs are prohibited from accessing in MHP due to the risk of adversely affecting the device, until the completion of the tamper check.

Therefore, the same level of security as that of conventional unsigned application programs can be maintained until the completion of the tamper check.

Here, the application execution device may further include: a transmitter identification unit operable to identify a transmitter of the application program based on transmitter information for identifying the transmitter, wherein the object carousel contains the transmitter information in addition to the application program, the acquisition unit further acquires the transmitter information, and the execution unit starts executing the application program after the transmitter identification unit completes the identification of the transmitter.

According to the above construction, the application execution device does not activate the application program until the transmitter is identified. This prevents execution of an application program sent from an untrusted transmitter, making it possible to enhance security.

Here, the acquisition unit may further acquire an application identifier showing a type of the application program, wherein the execution unit starts executing the application program before the judgment unit completes the judgment, if the type shown by the acquired application identifier matches a predetermined type.

According to the above construction, the application execution device activates the application program before the completion of the tamper check, depending on the type of the application program.

In this way, the new type of application program according to the present invention can be processed differently from a conventional signed application program, which cannot be activated until the completion of the tamper check.

Here, when the execution unit, in the process of executing the instructions included in the application program, reaches an instruction to access the second resource but the judgment unit has not completed the judgment, the execution unit may wait until the judgment unit completes the judgment.

According to the above construction, the application program is prohibited from accessing the second resource until the completion of the tamper check. High security is maintained by prohibiting such access to the second resource as may adversely affect the device. After the tamper check is completed and the application program is judged as having been untampered with, the application program is granted access to the second resource. This makes it possible to realize high-function application programs.

Here, the application program may include hash information showing a hash value of the application program, wherein the judgment unit judges whether the acquired application program has been tampered with by calculating a hash value of the acquired application program and comparing the calculated hash value with the hash value shown by the hash information.

According to the above construction, the comparison of the hash values results in a mismatch if at least one part of the application program has been tampered with. Hence tampering with the application can be detected precisely, making it possible to achieve high security.

Here, the acquisition unit may acquire the application program through one of a plurality of acquisition paths which have different levels of risk of tampering, wherein the tentative permission setting unit obtains the tentative permission information corresponding to the acquisition path of the application program, and when the acquisition path of the application program has a lower level of risk of tampering, the tentative permission information corresponding to the acquisition path shows the permission to access the first resource including a resource access to which has a higher risk of adversely affecting the application execution device.

According to the above construction, when the application program is acquired from a secure acquisition path that has a lower level of risk of tampering, the application program is granted access to more resources, including a resource that has a risk of adversely affecting the device. This enables more instructions in the application program to be carried out, so that the tamper check is more likely to have been completed by the time the execution unit reaches an instruction to access the second resource.

This reduces the need to wait for the completion of the tamper check. Accordingly, the user can use the application program without discomfort, while high security is maintained.

Here, when the acquisition path of the application program has the lower level of risk of tampering, the application program may be in encrypted form, wherein when the acquisition path of the application program has a higher level of risk of tampering, the application program is in unencrypted form.

According to the above construction, when the application program is acquired in encrypted form, the application program is granted access to more resources, including a resource that has a risk of adversely affecting the device. This enables more instructions in the application program to be carried out.

As a result, the need to wait for the completion of the tamper check decreases. Accordingly, the user can use the application program without discomfort, while high security is maintained.

Here, the acquisition unit may acquire the application program through one of a plurality of acquisition paths which have different time periods required for acquiring an application program, wherein the tentative permission setting unit obtains the tentative permission information corresponding to the acquisition path of the application program, and when the acquisition path of the application program has a longer time period required, the tentative permission information corresponding to the acquisition path shows the permission to access the first resource including a resource access to which has a higher risk of adversely affecting the application execution device.

When the application program is acquired from an acquisition path that has a longer time period required for acquisition of an application program, it takes a longer time before the completion of the tamper check. According to the above construction, such an application program is granted access to more resources, including a resource that has a risk of adversely affecting the device, before the completion of the tamper check. This enables more instructions in the application program to be carried out, so that the tamper check is more likely to have been completed by the time the execution unit reaches an instruction to access the second resource.

As a result, the need to wait for the completion of the tamper check decreases. Accordingly, the user can use the application program without discomfort, even when the acquisition of the application program takes a long time.

Here, the application execution device may further include: a signed application execution unit operable to start executing the application program after the judgment unit completes the judgment, if the acquisition unit acquires the application program by reading the application program from a recording medium and the judgment unit judges that the application program has been untampered with, wherein the execution unit starts executing the application program before the judgment unit completes the judgment, if the acquisition unit acquires the application program by receiving a digital stream which carries the application program.

It takes only a short time to acquire the application program from the recording medium and therefore to perform the tamper check on the application program. In this case, the application execution device having the above construction activates the application program after the completion of the tamper check, in the same way as conventional signed application programs. As a result, the same level of security as that of conventional signed application programs is attained.

Meanwhile, it takes a long time to acquire the application program from the digital stream and therefore to perform the tamper check on the application program. In such a case, the application execution device activates the application program with a grant of access to only the first resource, without waiting for the completion of the tamper check. After the tamper check is completed and the application program is judged as having been untampered with, the application program is further granted access to the second resource, as a result of which an instruction to access the second resource can be carried out. In so doing, the activation of the application program is accelerated while maintaining security.
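The wait-state behaviour described above (an instruction that reaches the second resource before the judgment is complete blocks until the judgment unit finishes; a tampered program is stopped at that point) and the two acquisition paths (broadcast stream: activate at once within the tentative range; recording medium: hold activation until the check completes, like a signed application) can be shown together in one small model. The following Python code is an added example, not the patent's own code nor any MHP receiver implementation. Its assumptions: the resource names, SHA-256 as the hash algorithm carried in the hash information, and an `acquisition_done` event that stands in for "the whole program has arrived from the carousel", which is what gates the judgment and makes the timing controllable in a test.

```python
import hashlib
import threading

# "First resource": what MHP grants to unsigned applications (names constructed).
FIRST_RESOURCES = frozenset({"app_memory", "ui_draw"})

BROADCAST = "broadcast"                 # long acquisition: activate tentatively
RECORDING_MEDIUM = "recording_medium"   # short acquisition: behave like a signed app


class TamperedApplication(Exception):
    """The application was judged tampered: its file size is treated as zero."""


class ApplicationExecutor:
    def __init__(self, app_bytes, hash_info, permission_file, acquisition_path):
        self.app_bytes = app_bytes
        self.hash_info = hash_info                      # hash value carried with the app
        self.requested = frozenset(permission_file)     # permission information file
        self.acquisition_path = acquisition_path
        self.tentative = FIRST_RESOURCES                # tentative permission information
        self.definite = frozenset()                     # definite permission information
        self.untampered = False
        self.judged = threading.Event()                 # judgment unit has finished
        # Stands in for "the whole program has been acquired"; the judgment
        # cannot run before it (assumption made to keep the timing controllable).
        self.acquisition_done = threading.Event()

    def _judgment_unit(self):
        """Tamper check thread: hash the acquired program and compare."""
        self.acquisition_done.wait()
        calculated = hashlib.sha256(self.app_bytes).hexdigest()
        self.untampered = calculated == self.hash_info
        if self.untampered:
            self.definite = FIRST_RESOURCES | self.requested
        self.judged.set()

    def activate(self):
        threading.Thread(target=self._judgment_unit, daemon=True).start()
        if self.acquisition_path == RECORDING_MEDIUM:
            self.judged.wait()                          # signed-application behaviour
            if not self.untampered:
                raise TamperedApplication
        # Broadcast path: start at once within the tentative permission range.

    def access(self, resource):
        """Check run for each instruction that touches a resource."""
        if not self.judged.is_set():
            if resource in self.tentative:
                return "granted (tentative)"
            self.judged.wait()                          # wait state until the judgment
        if not self.untampered:
            raise TamperedApplication
        return "granted (definite)" if resource in self.definite else "denied"


def _try_access(app, resource, out):
    try:
        out["result"] = app.access(resource)
    except TamperedApplication:
        out["result"] = "terminated (tampered)"


def run_scenario(tampered, acquisition_path=BROADCAST):
    """Drive one activation and return the observable outcomes, in order."""
    program = b"main class + subclasses (constructed sample)"
    hash_info = hashlib.sha256(program).hexdigest()     # computed by the transmitter
    if tampered:
        program += b"; injected instruction"            # hash no longer matches
    app = ApplicationExecutor(program, hash_info, {"network"}, acquisition_path)
    if acquisition_path == RECORDING_MEDIUM:
        app.acquisition_done.set()                      # a local read is instant
    try:
        app.activate()
    except TamperedApplication:
        return ["activation refused"]
    log = [app.access("ui_draw")]                       # first resource
    out = {}
    worker = threading.Thread(target=_try_access, args=(app, "network", out))
    worker.start()                                      # second resource
    worker.join(0.2)
    log.append("waiting" if worker.is_alive() else "not waiting")
    app.acquisition_done.set()                          # carousel cycle completes
    worker.join()
    log.append(out["result"])
    return log


if __name__ == "__main__":
    for flag in (False, True):
        for path in (BROADCAST, RECORDING_MEDIUM):
            print(f"tampered={flag} path={path}: {run_scenario(flag, path)}")
```

On the broadcast path the first-resource access succeeds immediately and the second-resource access is observed blocked until acquisition completes, after which it is granted or, for a tampered program, ends the execution; on the recording-medium path the untampered program is only released after the judgment and the tampered one is never activated.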

The stated aim can also be achieved by an integrated circuit including: an acquisition unit operable to acquire an application program which includes instructions to access resources; a judgment unit operable to judge whether the acquired application program has been tampered with; a tentative permission setting unit operable to obtain tentative permission information showing permission to access only a first resource; a definite permission setting unit operable to obtain definite permission information showing permission to access the first resource and a second resource; and an execution unit operable to start executing the application program within a range of the permission shown by the tentative permission information, before the judgment unit completes the judgment, and after the judgment unit completes the judgment, continue executing the application program within a range of the permission shown by the definite permission information if the application program is judged as having been untampered with.

According to the above construction, the integrated circuit can activate the application program without a wait time for the tamper check to be completed. If the application program is judged as having been untampered with as a result of the tamper check, the application program is granted access to not only the first resource but also the second resource. This makes it possible to realize high-function application programs that require access to the second resource.

Therefore, high-function application programs can be activated promptly while maintaining high security.

The stated aim can also be achieved by an application execution method including: an acquisition step of acquiring an application program which includes instructions to access resources; a judgment step of judging whether the acquired application program has been tampered with; a tentative permission setting step of obtaining tentative permission information showing permission to access only a first resource; a definite permission setting step of obtaining definite permission information showing permission to access the first resource and a second resource; and an execution step of starting executing the application program within a range of the permission shown by the tentative permission information, before the judgment step completes the judgment, and after the judgment step completes the judgment, continuing executing the application program within a range of the permission shown by the definite permission information if the application program is judged as having been untampered with.

According to the above method, the application program can be activated without a wait time for the tamper check to be completed. If the application program is judged as having been untampered with as a result of the tamper check, the application program is granted access to not only the first resource but also the second resource. This makes it possible to realize high-function application programs that require access to the second resource.

Therefore, high-function application programs can be activated promptly while maintaining high security.

The stated aim can also be achieved by a computer-readable program causing a computer to perform: an acquisition step of acquiring an application program which includes instructions to access resources; a judgment step of judging whether the acquired application program has been tampered with; a tentative permission setting step of obtaining tentative permission information showing permission to access only a first resource; a definite permission setting step of obtaining definite permission information showing permission to access the first resource and a second resource; and an execution step of starting executing the application program within a range of the permission shown by the tentative permission information, before the judgment step completes the judgment, and after the judgment step completes the judgment, continuing executing the application program within a range of the permission shown by the definite permission information if the application program is judged as having been untampered with.

According to the above program, the application program can be activated without a wait time for the tamper check to be completed. If the application program is judged as having been untampered with as a result of the tamper check, the application program is granted access to not only the first resource but also the second resource. This makes it possible to realize high-function application programs that require access to the second resource.

Therefore, high-function application programs can be activated promptly while maintaining high security.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 shows a construction of an interactive television system including a digital television reception device to which the first embodiment of the present invention relates.

FIG. 2A shows a structure of transmission data.

FIG. 2B is a representation of a transport stream carrying the transmission data shown in FIG. 2A.

FIG. 3 is a representation of a data structure of management information shown in FIG. 2.

FIG. 4 is a representation of a directory structure of an application shown in FIG. 2.

FIG. 5 shows a data structure of a transmitter information file shown in FIG. 4.

FIG. 6 shows a data structure of a hash information file shown in FIG. 4.

FIG. 7 shows a data structure of a tamper check hash value file shown in FIG. 4.

FIG. 8 shows an example of a permission information file shown in FIG. 4.

FIG. 9 shows access permission specified for an unsigned application and a signed application according to MHP.

FIG. 10 shows a hardware construction of the digital television reception device shown in FIG. 1.

FIG. 11 shows a functional construction of a program stored in a ROM shown in FIG. 10.

FIG. 12 shows a functional construction for controlling execution of the application.

FIG. 13 is a flowchart showing a channel selection procedure in the digital television reception device.

FIG. 14A is a flowchart showing an application activation control procedure in the digital television reception device.

FIG. 14B is a flowchart showing a procedure of a tamper check thread created in step S22 in FIG. 14A.

FIG. 15 is a flowchart showing a procedure of controlling access to a resource by the application.

FIG. 16 shows an example of an object carousel carrying additional data shown in FIG. 2.

FIG. 17 shows a hardware construction of a digital television reception device to which the second embodiment of the present invention relates.

FIG. 18 shows a functional construction for controlling execution of the application in the digital television reception device shown in FIG. 17.

FIG. 19 is a flowchart showing a procedure of setting access permission at the time of activation in the digital television reception device shown in FIG. 17.

FIG. 20 is a flowchart showing a procedure which is a modification to the second embodiment.

BEST MODE FOR CARRYING OUT THE INVENTION

First Embodiment

The following describes the first embodiment of an application execution device of the present invention. In the first embodiment, a digital television reception device which acquires an application from a broadcast wave and executes the application is used as an example of the application execution device.

FIG. 1 shows a construction of an interactive television system which includes the digital television reception device of the first embodiment.

In the drawing, a broadcast device 1 is installed in a digital television broadcast station. The broadcast device 1 transmits transmission data 10 of digital television broadcasting, and receives information from a digital television reception device 2 via a network such as the Internet.

The digital television reception device 2 is used by a viewer of digital television broadcasting. The digital television reception device 2 receives the transmission data 10 of digital television broadcasting from the broadcast device 1. The digital television reception device 2 has a function of playing back a broadcast program included in the transmission data 10, and a function of executing an application included in the transmission data 10. Through the execution of the application, the digital television reception device 2 transmits the information to the broadcast device 1 via the network. In this way, an interactive service is achieved.

FIG. 2A shows a structure of the transmission data 10 that is transmitted from the broadcast device 1. As illustrated, the transmission data 10 is roughly made up of video data 11 and audio data 12 of the broadcast program, and additional data 13. The transmission data 10 is actually realized by an MPEG2 transport stream which is generated by multiplexing a stream of the video data 11, a stream of the audio data 12, and the additional data 13 in DSM-CC sections carried by an object carousel, as shown in FIG. 2B. MPEG2 transport streams and DSM-CC are described in detail in the MPEG specifications ISO/IEC 13818-1 and 13818-6 respectively, so their explanation has been omitted here.

The additional data 13 includes an application 14 which is a program written in Java (registered trademark), and management information 15 for the application 14. Since the object carousel is used for the additional data 13, the same information is cyclically transmitted. This being so, regardless of when the viewer selects a channel corresponding to the transmission data 10, the digital television reception device 2 can acquire the whole additional data 13 within a predetermined time period.

FIG. 3 is a representation of a data structure of the management information 15.

In the drawing, the management information 15 includes an application identifier 16, an execution flag 17, a retention flag 18, and retention information 19.

The application identifier 16 takes one of the values 0x0000 to 0xFFFF, and uniquely identifies the application 14. When the application identifier 16 is in the range 0x0000 to 0x3FFF, the application 14 is an unsigned application as defined in MHP. When the application identifier 16 is in the range 0x4000 to 0x7FFF, the application 14 is a signed application as defined in MHP. When the application identifier 16 is in the range 0x8000 to 0xFFFF, the application 14 is a tentative unsigned application, which is a new type of application according to this embodiment.

FIG. 4 is a representation of a directory structure of the application 14. In the drawing, the application 14 has an application directory 22 below a root directory 21. The application directory 22 contains a transmitter information file 23, a hash information file 24 for the application directory 22, a tamper check hash value file 25, and a main class directory 26.

The main class directory 26 contains a hash information file 27 for the main class directory 26, a permission information file 28, a main class file 29, and a subclass directory 30. The subclass directory 30 contains a hash information file 31 for the subclass directory 30, and subclass files 32 and 33.

FIG. 5 shows a data structure of the transmitter information file 23 shown in FIG. 4 in detail. This transmitter information file 23 is an X.509 certificate for attesting to the identity of the transmitter of the application 14. In the X.509 certificate, an issuer name 23a shows a name of the transmitter, and public key information 23b shows a public key which is used to decrypt signature data in the tamper check hash value file 25. X.509 is described in detail in RFC 2459 and the like, so its explanation has been omitted here.

FIG. 6 shows a data structure of the hash information file 24 shown in FIG. 4, in detail. The hash information file 24 includes a hash value count 24a showing a number of hash values, and a plurality of information sets corresponding one-to-one with the hash values. Each of the information sets is made up of a hash algorithm 24b, a file count 24c showing a number of files, file names 24d of the files, and hash values 24e calculated from the files.

FIG. 7 shows a data structure of the tamper check hash value file 25 shown in FIG. 4, in detail. The tamper check hash value file 25 includes an X.509 certificate identifier 25a, a hash algorithm 25b, and signature data 25c. The signature data 25c is generated by encrypting a hash value calculated from the hash information file 24, using a secret key corresponding to the public key shown in the public key information 23b in the transmitter information file 23.
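The per-directory hash information files (FIG. 6) and the signed tamper check hash value file (FIG. 7) chain into one integrity check over the tree of FIG. 4: each directory's hash sets cover its files, the parent directory's set covers the child, and the signature covers hash information file 24 at the top. The Python example below is added here and is not the patent's code nor any MHP implementation; it builds that chain over a constructed in-memory directory tree and then verifies it the way the judgment unit would. Its assumptions: SHA-256 as the hash algorithm, a one-line-per-set text layout for the hash information file, one hash set for a directory's plain files plus one set per subdirectory taken over that subdirectory's own hash information file, a toy RSA key pair built from two Mersenne primes standing in for the certificate's key pair (reproducible, not secure), and that the transmitter information file 23 and tamper check file 25 sit outside the hashed tree, since file 25 signs file 24 and cannot be covered by it.

```python
import hashlib

# --- Toy signature standing in for the X.509 key pair (NOT secure) ---
# Mersenne primes give a fixed, reproducible modulus large enough to hold a
# 256-bit digest; a real transmitter uses a properly generated key pair.
_P, _Q = (1 << 521) - 1, (1 << 127) - 1
PUBLIC_KEY = (65537, _P * _Q)                       # public key information 23b
_PRIVATE_D = pow(65537, -1, (_P - 1) * (_Q - 1))    # transmitter's secret key


def sign(digest):
    """Signature data 25c: the digest 'encrypted' with the secret key."""
    return pow(int.from_bytes(digest, "big"), _PRIVATE_D, PUBLIC_KEY[1])


def verify(digest, signature, public_key=PUBLIC_KEY):
    """Decrypt the signature with the public key and compare with the digest."""
    e, n = public_key
    return pow(signature, e, n) == int.from_bytes(digest, "big")


# --- Hash information files (FIG. 6), one per directory ---
HASHFILE = "hashfile"   # stands for hash information files 24, 27 and 31


def _digest(algorithm, chunks):
    h = hashlib.new(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def make_hash_info(directory, algorithm="sha256"):
    """Write a hash information file into `directory` and return its bytes.

    `directory` maps names to bytes (files) or dicts (subdirectories). The
    plain files form one set (algorithm, file count, names, one hash over
    their concatenation); each subdirectory forms its own set hashed over
    that subdirectory's hash information file (assumption of this example).
    """
    files = sorted(n for n, c in directory.items() if isinstance(c, bytes) and n != HASHFILE)
    subdirs = sorted(n for n, c in directory.items() if isinstance(c, dict))
    sets = []
    if files:
        sets.append((files, _digest(algorithm, [directory[n] for n in files])))
    for name in subdirs:
        sets.append(([name], _digest(algorithm, [make_hash_info(directory[name], algorithm)])))
    lines = [f"{algorithm} {len(names)} {','.join(names)} {value}" for names, value in sets]
    directory[HASHFILE] = ("\n".join(lines) + "\n").encode()
    return directory[HASHFILE]


def verify_directory(directory):
    """Judgment unit: recompute every hash set and compare with the file."""
    if HASHFILE not in directory:
        return False
    for line in directory[HASHFILE].decode().splitlines():
        algorithm, count, names, expected = line.split(" ")
        names = names.split(",")
        if int(count) != len(names):
            return False
        chunks = []
        for name in names:
            content = directory.get(name)
            if isinstance(content, dict):           # subdirectory: check it, then
                if not verify_directory(content):   # hash its own hash file
                    return False
                content = content[HASHFILE]
            if content is None:
                return False                        # a listed file is missing
            chunks.append(content)
        if _digest(algorithm, chunks) != expected:
            return False
    return True


# --- Tamper check hash value file (FIG. 7) over hash information file 24 ---
def make_tamper_check_file(app_dir, algorithm="sha256"):
    digest = hashlib.new(algorithm, app_dir[HASHFILE]).digest()
    return {"cert_id": "CERT-ID-PLACEHOLDER", "algorithm": algorithm, "signature": sign(digest)}


def check_application(app_dir, tamper_file, public_key=PUBLIC_KEY):
    """Full check: signature over hash file 24, then every directory's sets."""
    digest = hashlib.new(tamper_file["algorithm"], app_dir[HASHFILE]).digest()
    return verify(digest, tamper_file["signature"], public_key) and verify_directory(app_dir)


def build_sample_application():
    """Constructed stand-in for the FIG. 4 tree; contents are not real class files."""
    subclass_dir = {"Sub1.class": b"class Sub1 {}", "Sub2.class": b"class Sub2 {}"}
    main_class_dir = {"Main.class": b"class Main {}",
                      "permission.xml": b"<permission><network/></permission>",
                      "sub": subclass_dir}
    app_dir = {"main": main_class_dir}      # files 23 and 25 are kept outside
    make_hash_info(app_dir)                 # the hashed tree (see lead-in)
    return app_dir
```

Two failure modes are worth trying on the sample: editing one subclass file breaks the subclass directory's set and therefore every set above it, and regenerating all hash information files after the edit makes the directories self-consistent again but the signature over file 24, which only the holder of the secret key can produce, no longer matches.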

FIG. 8 shows an example of the permission information file 28 shown in FIG. 4. The permission information file 28 shows, in XML, permission to access resources which are required in execution of the application 14. In more detail, the permission information file 28 shows permission to access one or more resources which belong to an additional permission group shown in FIG. 9. The application 14 is permitted to access the resources shown by the permission information file 28 if the application 14 is judged, in the digital television reception device 2, as having been transmitted from a trusted transmitter and as not having been tampered with. XML is described in detail in RFC 3023 and the like, so its explanation has been omitted here.

A hardware construction of the digital television reception device 2 is described below.

FIG. 10 shows the hardware construction of the digital television reception device 2. As shown in the drawing, the digital television reception device 2 includes a TS decoder 101, an audio decoder 102, a video decoder 103, a speaker 104, a display 105, an image output unit 106, a CPU 107, a network device 108, an input unit 109, a primary storage unit 110, a secondary storage unit 111, and a ROM 112.

In this digital television reception device 2, the TS decoder 101 demultiplexes the MPEG transport stream carrying the transmission data 10, and the video decoder 103 and the audio decoder 102 respectively decode the video data 11 and the audio data 12 obtained by the TS decoder 101 and output the decoded video data and audio data to the display 105 and the speaker 104. In this way, the digital television reception device 2 plays back the broadcast program.

The image output unit 106 superimposes image data, such as image data of a setting screen for the digital television reception device 2 or image data of a display screen for the application 14, on the decoded video data output from the video decoder 103.

The input unit 109 receives a user operation made by the viewer via a remote control.

The CPU 107 controls the image output unit 106 to update image data according to a user operation received by the input unit 109. In this way, the digital television reception device 2 carries out interactive operations.

The primary storage unit 110 is a working area that is actually realized by a RAM. The application 14 separated from the transmission data 10 is stored into the primary storage unit 110.

The secondary storage unit 111 is a nonvolatile memory contained in a device such as a hard disk or an EEPROM. The secondary storage unit 111 stores a list of trusted transmitters.

The ROM 112 stores a program for controlling the digital television reception device 2. The functions of the digital television reception device 2 are realized by the CPU 107 executing the program in the ROM 112 in conjunction with the hardware resources.

FIG. 11 shows a functional construction of the program stored in the ROM 112.

The program stored in the ROM 112 includes a control unit 201, an application management unit 202, a Java (registered trademark) class library 203, a Java (registered trademark) VM 204, a device driver 205, and an OS 206.

The control unit 201 controls the digital television reception device 2 in accordance with a user operation received by the input unit 109.

The device driver 205 includes drivers for the speaker 104, the display 105, the image output unit 106, and the network device 108.

The application management unit 202 and the Java (registered trademark) class library 203 control the execution of the application 14 stored in the primary storage unit 110.

FIG. 12 shows a functional construction for controlling the execution of the application 14, in detail.

The application management unit 202 includes an application information read unit 211, a life cycle management unit 212, and an application authentication unit 213. The Java (registered trademark) class library 203 includes a security management unit 221 and a resource library 222.

The application information read unit 211 reads the managementinformation 15 included in the additional data 13, from the primarystorage unit 110.

The life cycle management unit 212 activates the application 14according to an activation procedure for one of an unsigned application,a signed application, and a tentative unsigned application, based on themanagement information 15.

The application authentication unit 213 includes a transmitteridentification unit 214, an authentication status management unit 215, atamper check unit 216, and a permission read unit 217, and authenticatesthe application 14. The authentication status management unit 215includes an authentication status holding unit 218 and an unsignedapplication permission holding unit 219. The unsigned applicationpermission holding unit 219 holds unsigned application permissioninformation which shows permission to access resources that are grantedto unsigned applications in MHP (hereafter “unsigned applicationpermission”). For example, the unsigned application permissioninformation is realized by writing the unsigned application permissionin XML.

MHP prohibits an unsigned application from accessing predetermined resources. In more detail, an unsigned application is prohibited from accessing the resources indicated by the mark "X" in FIG. 9. A signed application, on the other hand, is granted unrestricted access to the resources specified by a permission information file contained in the application.

A tentative unsigned application according to this embodiment isactivated with grant of the unsigned application permission, withoutwaiting for the tamper check of the application to be completed. Thisbeing so, the tentative unsigned application is prohibited fromaccessing the predetermined resources in the same manner as an unsignedapplication, until the tamper check is completed. After the tamper checkis completed and the tentative unsigned application is judged as being avalid application, the tentative unsigned application is grantedunrestricted access to resources specified by a permission informationfile contained in the application, in the same manner as a signedapplication.

In the Java (registered trademark) class library 203, the securitymanagement unit 221 includes a permission setting unit 223 and apermission check unit 224, and controls the range of resources which theapplication 14 is permitted to access.

An operation of the digital television reception device 2 having theabove construction is described below, by referring to FIGS. 13 to 15.Here, automatic execution of the application 14 which occurs as a resultof a channel switch is used as an example operation of the digitaltelevision reception device 2.

FIG. 13 is a flowchart showing a channel selection procedure in thedigital television reception device 2.

Upon receiving a user operation of switching to the channelcorresponding to the transmission data 10 from the input unit 109 (S1),the control unit 201 instructs the TS decoder 101 to switch to thechannel and demultiplex the transport stream carrying the transmissiondata 10. The control unit 201 then instructs the video decoder 103 andthe audio decoder 102 to play back the video data 11 and the audio data12, via the device driver 205 (S2). The control unit 201 furtherinstructs the TS decoder 101 to store the additional data 13 taken fromthe transmission data 10 into the primary storage unit 110, andinstructs the application management unit 202 to control the activationof the application 14 (S3). In response to the instruction to store theadditional data 13, the TS decoder 101 acquires the object carouselcarrying the additional data 13 from the transmission data 10, andsequentially stores the acquired additional data 13 to the primarystorage unit 110. When one cycle of object carousel (e.g. about 20seconds) has elapsed since the receipt of the instruction, the wholeadditional data 13 is acquired in the primary storage unit 110. Thiscompletes the channel selection procedure in the digital televisionreception device 2.

FIG. 14A is a flowchart showing an application activation controlprocedure in the digital television reception device 2.

Upon receiving the instruction to control the activation of the application 14 from the control unit 201 in step S3 in FIG. 13, the application information read unit 211 in the application management unit 202 reads the management information 15 from the additional data 13 stored in the primary storage unit 110 (S11). Here, it is unknown from which part of the object carousel the TS decoder 101 starts acquiring the additional data 13 when the viewer selects the channel corresponding to the transmission data 10. This means there is a possibility that the management information 15 may not be present yet in the primary storage unit 110 when the application information read unit 211 attempts to read the management information 15 (S12: NO). In such a case, the application information read unit 211 repeats the attempt to read the management information 15 until the TS decoder 101 receives a module containing the management information 15. After reading the management information 15 (S12: YES), the application information read unit 211 passes the read management information 15 to the life cycle management unit 212.

The life cycle management unit 212 receives the management information15, and judges whether to automatically activate the application 14(S13). In more detail, the life cycle management unit 212 checks theexecution flag 17 in the management information 15. If the executionflag 17 is OFF (S13: NO), the life cycle management unit 212 judges thatthe application 14 is not to be automatically activated, and ends theprocedure. If the execution flag 17 is ON (S13: YES), the life cyclemanagement unit 212 judges that the application 14 is to beautomatically activated. In steps S14 to S16 which follow, the lifecycle management unit 212 judges whether the application 14 is anunsigned application, a signed application, or a tentative unsignedapplication, based on the application identifier 16 in the managementinformation 15.

If the application identifier 16 is in the range of 0x0000 to 0x3FFF(S14: YES), the life cycle management unit 212 judges the application 14as being a conventional unsigned application. In this case, the lifecycle management unit 212 reads the unsigned application permissioninformation from the unsigned application permission holding unit 219,and passes the unsigned application permission information to thepermission setting unit 223 in the security management unit 221 in theJava (registered trademark) class library 203. The permission settingunit 223 sets the unsigned application permission shown by the unsignedapplication permission information, as access permission 225 that isgranted to the application 14 at the time of activation (S17).

If the application identifier 16 is in the range of 0x4000 to 0x7FFF (S15: YES), the life cycle management unit 212 judges the application 14 as being a conventional signed application, and instructs the application authentication unit 213 to authenticate the application 14. The application authentication unit 213 performs the authentication as follows. First, the transmitter identification unit 214 performs transmitter identification (S18). In detail, the transmitter identification unit 214 reads the transmitter information file 23 shown in FIG. 5 from the primary storage unit 110. If the issuer name 23 a in the transmitter information file 23 is included in the list of trusted transmitters which is stored in the secondary storage unit 111 beforehand, the transmitter identification unit 214 judges the transmitter of the application 14 as being a trusted transmitter (S18: YES). Here, the public key information 23 b in the transmitter information file 23 is an X.509 certificate, and verifying that certificate can be used to judge whether the transmitter information file 23 was actually sent by the transmitter named in the issuer name 23 a, rather than relying on the name alone.

If the transmitter of the application 14 is judged as being a trustedtransmitter, the application authentication unit 213 waits until thewhole application 14 is stored in the primary storage unit 110. Afterthis, the tamper check unit 216 performs tamper check on the application14 (S19). This tamper check can be conducted in the following manner.For each of the application directory 22, the main class directory 26,and the subclass directory 30, the tamper check unit 216 calculates ahash value from each file contained in the directory, and compares thecalculated hash values with hash values shown in one of the hashinformation files 24, 27 and 31 that belongs to the directory. Further,the tamper check unit 216 calculates a hash value from the hashinformation file 24, decrypts the signature data 25 c in the tampercheck hash value file 25 using the public key shown in the public keyinformation 23 b in the transmitter information file 23 to obtain a hashvalue, and compares the two hash values. If all of the above comparisonsresult in a match, the tamper check unit 216 judges the application 14as having been untampered with. If any of the above comparisons resultsin a mismatch, on the other hand, the tamper check unit 216 judges theapplication 14 as having been tampered with. If the application 14 isjudged as having been untampered with (S19: YES), the tamper check unit216 notifies the authentication success to the permission read unit 217.The permission read unit 217 responsively reads the permissioninformation file 28 from the primary storage unit 110 (S20). Here, ifthe permission read unit 217 cannot read the permission information file28 because the permission information file 28 is not contained in theapplication 14 in the first place, the permission read unit 217 insteadreads the unsigned application permission information from the unsignedapplication permission holding unit 219.

The permission read unit 217 passes the read permission information file28 to the permission setting unit 223 in the security management unit221 via the life cycle management unit 212. The permission setting unit223 sets the signed application permission shown by the permissioninformation file 28, as the access permission 225 (S21).

Meanwhile, if the transmitter is judged as not being a trustedtransmitter (S18: NO) or if the application 14 is judged as having beentampered with (S19: NO), the application authentication unit 213notifies the authentication failure to the life cycle management unit212. The life cycle management unit 212 accordingly ends the procedurewithout activating the application 14.

If the application identifier 16 is in the range of 0x8000 to 0xFFFF (S16: YES), the life cycle management unit 212 judges the application 14 as being a tentative unsigned application which is the new type of application according to this embodiment, and instructs the application authentication unit 213 to authenticate the application 14. The application authentication unit 213 waits until the TS decoder 101 receives the transmitter information file 23 and stores it into the primary storage unit 110. Once the transmitter information file 23 has been stored into the primary storage unit 110, the transmitter identification unit 214 performs the same transmitter identification as in step S18 (S25). If the transmitter of the application 14 is judged as being a trusted transmitter (S25: YES), the application authentication unit 213 instructs the tamper check unit 216 and the permission read unit 217 to create a tamper check thread (S22), and also notifies the life cycle management unit 212 that the transmitter of the application 14 is a trusted transmitter. Upon being notified, the life cycle management unit 212 reads the unsigned application permission information from the unsigned application permission holding unit 219, and passes the unsigned application permission information to the permission setting unit 223 in the security management unit 221. The permission setting unit 223 sets the unsigned application permission shown by the unsigned application permission information, as the access permission 225 (S23). If the transmitter of the application 14 is judged as not being a trusted transmitter (S25: NO), meanwhile, the application authentication unit 213 notifies the life cycle management unit 212 that the transmitter of the application 14 is not a trusted transmitter. The life cycle management unit 212 accordingly ends the procedure without activating the application 14.

After the access permission 225 is set in any of steps S17, S21, andS23, the life cycle management unit 212 activates the application 14using the Java (registered trademark) class library 203 (S24). Thiscompletes the application activation control procedure.

With the above procedure, the activation of the application 14 can beaccelerated. Suppose the application 14 has a large data size andtherefore it takes a long time to acquire one cycle of object carouselcontaining the application 14 and calculate hash values from theapplication 14. According to the procedure for a conventional signedapplication, the application 14 cannot be activated until one cycle ofobject carousel is acquired and the application 14 is authenticated.According to the procedure for a tentative unsigned application, on theother hand, the application 14 can be activated when part of the objectcarousel is acquired.

The tamper check thread created by the tamper check unit 216 and thepermission read unit 217 in step S22 has the following procedure. Notethat this tamper check thread is processed in parallel with theexecution of the application 14 which is a tentative unsignedapplication activated in step S24.

FIG. 14B is a flowchart showing the procedure of the tamper checkthread.

After the TS decoder 101 acquires the whole additional data 13 andstores the whole application 14 into the primary storage unit 110, thetamper check unit 216 performs tamper check on the application 14 (S31).If the application 14 is judged as having been untampered with as aresult of the tamper check (S32: YES), the tamper check unit 216notifies this to the permission read unit 217. The permission read unit217 responsively reads the permission information file 28 from theprimary storage unit 110, and passes the permission information file 28to the authentication status management unit 215. The authenticationstatus management unit 215 registers the permission information file 28in the authentication status holding unit 218 (S33), before ending theprocedure. If the application 14 is judged as having been tampered with(S32: NO), on the other hand, the tamper check unit 216 notifies theauthentication status management unit 215 of the authentication failure.The authentication status management unit 215 registers informationindicating the authentication failure in the authentication statusholding unit 218 (S34), before ending the procedure. This completes thetamper check thread.

MHP stipulates that, when a tamper check on a signed application results in a failure, the file size of that signed application is assumed to be zero. As a result, the signed application is treated as not having any content, though the signed application itself exists. This being so, step S34, performed by the authentication status management unit 215 when notified of the authentication failure by the tamper check unit 216, may be modified as follows, to make the present invention compliant with MHP. In step S34, the authentication status management unit 215 registers information indicating the authentication failure in the authentication status holding unit 218. In addition, in the file system for managing the primary storage unit 110, the authentication status management unit 215 changes the file size to zero either for every file of the application 14, or only for each file in the application 14 whose calculated hash value does not match the corresponding hash value in its hash information file.
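The tamper check described for step S19 and repeated in the tamper check thread (S31/S32), together with the MHP rule above that failed files are given a size of zero, can be shown end to end in working code. The following is an added example and is not the patent's or MHP's own code. It assumes a flat in-memory image of the application, a per-directory hash information file named `hash_info` (standing in for the files 24, 27 and 31), and, as an assumption not stated on the page, that each parent directory's hash list also covers its child directories' hash files so that every file is chained back to the one signed root list. Because the standard library has no public-key signature primitive, the signature over the root hash file (the tamper check hash value file 25) is replaced by an HMAC stand-in, which is a keyed MAC and not the X.509-based signature the page describes; the `demo()` data are constructed.

```python
import hashlib
import hmac
from typing import Callable, Dict, Tuple

HASH_FILE = "hash_info"              # per-directory hash information file (24, 27, 31 in the page)
DEMO_KEY = b"constructed-demo-key"   # stands in for the broadcaster's private key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_list(entries: Dict[str, bytes]) -> bytes:
    """One 'name sha256' line per entry, sorted so the file is deterministic."""
    return "".join(f"{n} {sha256_hex(b)}\n" for n, b in sorted(entries.items())).encode()


def build_image(dirs: Dict[str, Dict[str, bytes]]) -> Dict[str, bytes]:
    """Broadcaster side. `dirs` maps a directory path to {file name: bytes}.
    Directories are processed deepest first so that every parent hash list also
    covers its child directories' hash files; that chain is what ties every file
    to the single signed root hash file. Returns a flat {path: bytes} image."""
    image: Dict[str, bytes] = {}
    for d in sorted(dirs, key=lambda p: -p.count("/")):
        entries = dict(dirs[d])
        for other in dirs:
            if other != d and other.rsplit("/", 1)[0] == d:
                child = other.rsplit("/", 1)[1]
                entries[f"{child}/{HASH_FILE}"] = image[f"{other}/{HASH_FILE}"]
        image[f"{d}/{HASH_FILE}"] = hash_list(entries)
        for name, blob in dirs[d].items():
            image[f"{d}/{name}"] = blob
    return image


def sign_demo(data: bytes) -> bytes:
    """Stand-in for the tamper check hash value file (25). The page signs the root
    hash file with the broadcaster's private key; an HMAC plays that role here so
    the example needs only the standard library. It is a keyed MAC, not a
    public-key signature, and must not be read as one."""
    return hmac.new(DEMO_KEY, data, "sha256").digest()


def verify_demo(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign_demo(data), signature)


def tamper_check(image: Dict[str, bytes], root: str, signature: bytes,
                 verify: Callable[[bytes, bytes], bool]) -> Tuple[bool, Dict[str, int]]:
    """Receiver side (S31/S32). Checks the signature over the root hash file, then
    every file against its directory's hash list, descending through child hash
    files. Returns (untampered, effective sizes): files that fail, and everything
    under an unverifiable child hash list, get size 0, which is how MHP says a
    failed signed application is to appear to the rest of the system."""
    sizes = {p: len(b) for p, b in image.items()}
    if not verify(image[f"{root}/{HASH_FILE}"], signature):
        return False, {p: 0 for p in image}        # no anchor, nothing is trustworthy
    untampered = True
    pending = [root]
    while pending:
        d = pending.pop()
        listing = image[f"{d}/{HASH_FILE}"].decode().splitlines()
        expected = dict(line.split(" ", 1) for line in listing)
        for name, digest in expected.items():
            path = f"{d}/{name}"
            is_child_list = name.endswith("/" + HASH_FILE)
            present = path in image and hmac.compare_digest(sha256_hex(image[path]), digest)
            if present and is_child_list:
                pending.append(path[: -len(HASH_FILE) - 1])
            elif not present:
                untampered = False
                sizes[path] = 0
                if is_child_list:                   # the whole subtree is unverifiable
                    for p in image:
                        if p.startswith(path[: -len(HASH_FILE)]):
                            sizes[p] = 0
        # A file sitting in the directory but absent from its hash list is not
        # covered by the signature either; treat it as a mismatch, not a free pass.
        for p in image:
            head, _, tail = p.rpartition("/")
            if head == d and tail != HASH_FILE and tail not in expected:
                untampered = False
                sizes[p] = 0
    return untampered, sizes


def demo() -> Dict[str, object]:
    """Runs the check over a constructed application image in three states."""
    dirs = {
        "app": {"transmitter.crt": b"demo certificate", "perm.xml": b"<perm/>"},
        "app/main": {"Main.class": b"\xca\xfe\xba\xbe main"},
        "app/sub": {"Helper.class": b"\xca\xfe\xba\xbe helper"},
    }
    image = build_image(dirs)
    signature = sign_demo(image[f"app/{HASH_FILE}"])
    clean_ok, clean_sizes = tamper_check(image, "app", signature, verify_demo)
    patched = dict(image, **{"app/sub/Helper.class": b"patched"})
    patched_ok, patched_sizes = tamper_check(patched, "app", signature, verify_demo)
    bad_ok, bad_sizes = tamper_check(image, "app", b"\x00" * 32, verify_demo)
    return {"clean": clean_ok, "clean_sizes": clean_sizes,
            "patched": patched_ok, "patched_sizes": patched_sizes,
            "badsig": bad_ok, "badsig_sizes": bad_sizes}
```

The two checks a practitioner should not skip are the extra-file check (a file present in the directory but missing from its hash list would otherwise be executed without ever being covered by the signature) and zeroing the whole subtree when a child hash list fails, since nothing under it can be attributed to the transmitter any more. Calling `demo()` returns the verdicts and effective sizes for the clean image, the image with one patched class file, and the image with a bad signature.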

In parallel with this tamper check thread shown in FIG. 14B, theapplication 14 which is a tentative unsigned application activated instep S24 in FIG. 14A is executed. In the execution of the application14, the Java (registered trademark) class library 203 judges whether theapplication 14 is permitted to access a resource requested by theapplication 14. In the case of a conventional unsigned application orsigned application, this judgment is made based on the access permission225 set in step S17 or S21. In the case of a tentative unsignedapplication according to this embodiment, the judgment is made based onthe access permission 225 set in step S23 until the tamper check iscompleted. After the tamper check is completed and the application isjudged as having been untampered with, the judgment is made based onboth the access permission 225 set in step S23 and the permissioninformation file 28 registered in the authentication status holding unit218 in step S33.

The following explains how the Java (registered trademark) class library203 controls access to a resource by the application 14 which is atentative unsigned application.

FIG. 15 is a flowchart showing a procedure of controlling access to aresource by the application 14.

When the application 14 needs to access a resource, such as connectingto the network or reading a file from the secondary storage unit 111,the application 14 calls the resource library 222 in the Java(registered trademark) class library 203 (S41).

Upon receipt of the call, the resource library 222 inquires of thesecurity management unit 221 whether the application 14 is permitted toaccess the resource.

The security management unit 221 refers to the access permission 225 viathe permission check unit 224, to judge whether the access permission225 includes the right to access the resource (S42). Here, the unsignedapplication permission is set as the access permission 225 in step S23in FIG. 14A. This being so, if the unsigned application permissionincludes the access right to the resource (S42: YES), the securitymanagement unit 221 notifies the resource library 222 that theapplication 14 is permitted to access the resource. The resource library222 accordingly authorizes the application 14 to access the resource andsends a request to the resource (S43), before ending the procedure. Inthis way, the application 14 accesses the resource.

If the unsigned application permission set as the access permission 225does not include the access right to the resource (S42: NO), thesecurity management unit 221 inquires of the authentication statusmanagement unit 215 about the authentication status.

If the tamper check by the tamper check thread is not completed (S44:NO), the authentication status management unit 215 waits for thecompletion of the tamper check. Once the tamper check has been completed(S44: YES), the authentication status management unit 215 reads thepermission information file 28 from the authentication status holdingunit 218, and passes the permission information file 28 to the securitymanagement unit 221 (S45).

The security management unit 221 receives the permission informationfile 28 from the authentication status management unit 215, and judgeswhether the permission information file 28 includes the access right tothe resource (S46). The security management unit 221 notifies thejudgment result to the resource library 222.

If the permission information file 28 includes the access right to theresource (S46: YES), the resource library 222 authorizes the application14 to access the resource, and sends a request to the resource (S43). Inthis way, the application 14 accesses the resource. If the permissioninformation file 28 does not include the access right to the resource(S46: NO), the resource library 222 sends error information indicatingprohibition to access the resource to the application 14 (S47), beforeending the procedure. In this case, no further execution of theapplication 14 is possible and so the application 14 is terminated. Thiscompletes the procedure of controlling resource access by theapplication 14 which is a tentative unsigned application.

According to the above procedure, the application 14 which is atentative unsigned application is activated with grant of the unsignedapplication permission before the completion of the tamper check, andinstructions in the application 14 are sequentially executed beginningwith a top instruction. After the tamper check is completed and theapplication 14 is judged as having been untampered with, the application14 is further granted the signed application permission specified by thepermission information file 28 generated by the transmitter of theapplication 14. Subsequently, even when the execution reaches aninstruction to access a resource which is not included in the unsignedapplication permission, the instruction can be executed if the signedapplication permission specified by the permission information file 28includes the access right to the resource.
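The activation dispatch of FIG. 14A (steps S14 to S23) and the access-gating procedure of FIG. 15 for a tentative unsigned application are shown below as one runnable model. This is an added example, not code from the patent: resource names such as `display`, `network` and `tuning`, the set of unsigned grants, and the element names of the constructed permission information file are assumptions of the example, and the tamper check thread is simulated by a short delay rather than by hashing a carousel. The example goes slightly beyond the text in that the tamper check result is also exposed to the signed-application path, so the same dispatch covers all three application types.

```python
import threading
import time
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

# Resource names and the unsigned grant set are assumptions of this example; the
# page names the grants only as "resources granted to unsigned applications in MHP".
UNSIGNED_PERMISSION: Set[str] = {"display", "carousel"}

# Constructed permission information file (28). The element names are loosely
# modelled on an MHP permission request file but do not reproduce its schema.
PERM_XML = """<permissionrequestfile>
  <network value="true"/>
  <file value="true"/>
  <tuning value="false"/>
</permissionrequestfile>"""


class AccessDenied(Exception):
    """Raised for S47: the resource library reports prohibition to the application."""


def app_type(app_id: int) -> str:
    """Maps the application identifier 16 to the activation procedure (S14 to S16)."""
    if 0x0000 <= app_id <= 0x3FFF:
        return "unsigned"
    if 0x4000 <= app_id <= 0x7FFF:
        return "signed"
    if 0x8000 <= app_id <= 0xFFFF:
        return "tentative_unsigned"
    raise ValueError(f"application identifier out of range: {app_id:#06x}")


def parse_permission_file(xml_text: str) -> Set[str]:
    """Turns the permission information file into a set of granted resources.
    Only elements explicitly marked value="true" become grants."""
    return {el.tag for el in ET.fromstring(xml_text) if el.get("value") == "true"}


def activation_plan(app_id: int, trusted: bool, tamper_check_passed: Optional[bool],
                    signed_permission: Set[str]) -> Tuple[bool, Set[str], bool]:
    """FIG. 14A. Returns (activate?, access permission 225 at activation, start tamper thread?).
    A signed application needs the tamper check result before activation (S19);
    a tentative unsigned one is gated only by transmitter identification (S25)."""
    kind = app_type(app_id)
    if kind == "unsigned":                                   # S17
        return True, set(UNSIGNED_PERMISSION), False
    if not trusted:                                          # S18 / S25: NO
        return False, set(), False
    if kind == "signed":                                     # S19 -> S21
        if not tamper_check_passed:
            return False, set(), False
        # S20: fall back to the unsigned grants when the application carries no permission file.
        return True, set(signed_permission) or set(UNSIGNED_PERMISSION), False
    return True, set(UNSIGNED_PERMISSION), True              # S22 / S23


class AuthenticationStatus:
    """Authentication status holding unit (218), written once by the tamper check thread."""

    def __init__(self) -> None:
        self._done = threading.Event()
        self.extra: Optional[Set[str]] = None    # None until S33, and stays None after S34

    def set_result(self, untampered: bool, signed_permission: Set[str]) -> None:
        self.extra = set(signed_permission) if untampered else None
        self._done.set()

    def wait(self) -> None:
        self._done.wait()


class SecurityManager:
    """Security management unit (221) for one tentative unsigned application."""

    def __init__(self, base: Set[str], status: AuthenticationStatus) -> None:
        self.base = set(base)          # access permission 225 set in S23
        self.status = status

    def check(self, resource: str) -> str:
        if resource in self.base:      # S42: YES, the tamper check result is not needed
            return "immediate"
        self.status.wait()             # S44: block this call until the tamper check thread finishes
        if self.status.extra is not None and resource in self.status.extra:   # S46: YES
            return "after_check"
        raise AccessDenied(resource)   # S46: NO, or the tamper check failed (S34)


def run_scenario(untampered: bool, requests: List[str], check_delay: float = 0.05) -> List[Tuple[str, str]]:
    """Executes a sequence of resource requests while a simulated tamper check thread runs."""
    status = AuthenticationStatus()
    manager = SecurityManager(UNSIGNED_PERMISSION, status)

    def tamper_check_thread() -> None:
        time.sleep(check_delay)        # stands in for acquiring the rest of the carousel and hashing it (S31)
        status.set_result(untampered, parse_permission_file(PERM_XML))

    threading.Thread(target=tamper_check_thread, daemon=True).start()
    trace: List[Tuple[str, str]] = []
    for resource in requests:
        try:
            trace.append((resource, manager.check(resource)))
        except AccessDenied:
            trace.append((resource, "denied"))
            break                      # S47: the application cannot continue and is terminated
    return trace
```

`run_scenario(True, ["display", "network", "file"])` grants `display` at once and the other two only after the simulated check completes, while `run_scenario(False, ["display", "network"])` still grants `display` but terminates on `network`, which is the property the procedure is meant to give: nothing outside the unsigned grants is reachable before the check, and a failed check never widens them. The blocking in `check` is per call, so the rendering that the page uses as its motivating case proceeds without ever touching the tamper check thread.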

Accordingly, the application 14 can be activated promptly with grant ofthe unsigned application permission, without waiting for the tampercheck to be completed. Since the application 14 is prohibited fromaccess to resources not included in the unsigned application permissionuntil the completion of the tamper check, high security is maintained.After the tamper check is completed and the application 14 is judged ashaving been untampered with, the application 14 is further grantedaccess to resources not included in the unsigned application permission.This makes it possible to realize high-function applications.

Suppose an instruction to render an image on the display 105 precedes aninstruction which cannot be executed with the unsigned applicationpermission in the application 14, and the unsigned applicationpermission includes the right to display graphics. According to theabove procedure, the image can be promptly displayed on the display 105regardless of the total data size of the application 14, with it beingpossible to shorten a wait time of the viewer and improveoperationality.

In the case of a conventional signed application, the tamper check forevery file in the application 14 needs to be completed prior toactivation, even when the application 14 only performs graphics display.If the total data size of such an application 14 is large, it takes along time to acquire the application 14 from the transport stream andperform the tamper check on the application 14. This causes a delay inactivation of the application 14 and therefore in generation of thegraphics display. In the case of a tentative unsigned applicationaccording to this embodiment, on the other hand, the application 14 isactivated with grant of the unsigned application permission prior to thecompletion of the tamper check. Accordingly, the graphics display can begenerated promptly within the range of the unsigned applicationpermission.

Note here that even when the application 14 is a tentative unsignedapplication, it is necessary, prior to activation, to judge the type ofthe application 14 using the application identifier 16 in the managementinformation 15 and identify the transmitter of the application 14 usingthe transmitter information file 23. To do so, at least the managementinformation 15, the transmitter information file 23, and the main classfile 29 containing the top instruction of the application 14 need to beacquired prior to activation.

In view of this, an object carousel such as the one shown in FIG. 16 maybe used to transmit the additional data 13. In the drawing, theapplication 14 is divided into four modules A1 to A4, and the managementinformation 15 is contained in module M1. In this object carousel,module A1 carrying the transmitter information file 23 and the mainclass file 29 and module M1 carrying the management information 15 aretransmitted more frequently than the other modules. This increases thepossibility of reducing the time required to acquire the main class file29, the transmitter information file 23, and the management information15, regardless of at which part of the object carousel the TS decoder101 starts acquiring the additional data 13. Hence the activation of theapplication 14 can be further accelerated.

Second Embodiment

The first embodiment describes an example of acquiring an applicationfrom a transport stream, but an application recorded on a removablerecording medium can also be stored into the primary storage unit 110and executed. When compared with an application transmitted in atransport stream from a broadcast station, however, an applicationrecorded on a removable recording medium can be more easily analyzedusing a personal computer and the like, and therefore is more likely tohave been tampered with.

In view of this, the second embodiment of the present inventiondescribes a digital television reception device which varies accesspermission tentatively granted to an application at the time ofactivation before completion of tamper check, depending on anacquisition path of the application.

FIG. 17 shows a hardware construction of a digital television receptiondevice 3 to which the second embodiment relates. Components which arethe same as those in the first embodiment have been given the samereference numerals and their explanation has been omitted.

The digital television reception device 3 differs from the digitaltelevision reception device 2 of the first embodiment, in that asecondary storage unit 113 is further included.

The secondary storage unit 113 is a removable nonvolatile memory such asan SD card or an optical disc. Different applications are stored in thesecondary storage unit 111 and the secondary storage unit 113.

FIG. 18 shows a functional construction for controlling the execution ofthe application 14 in the digital television reception device 3. Thisconstruction differs from that of the first embodiment shown in FIG. 12,in that the life cycle management unit 212 includes an acquisition pathholding unit 231, and the authentication status management unit 215includes a first tentative permission holding unit 232, a secondtentative permission holding unit 233, and a third tentative permissionholding unit 234 in place of the unsigned application permission holdingunit 219.

The acquisition path holding unit 231 is a functional block for holdingacquisition path information showing the acquisition path through whichthe application 14 stored in the primary storage unit 110 has beenacquired. This acquisition path information is acquired by theapplication information read unit 211 and set in the acquisition pathholding unit 231, when the application 14 is stored into the primarystorage unit 110. There are mainly four acquisition paths: anapplication separated from a transport stream; an application read fromthe secondary storage unit 111; an application read from the secondarystorage unit 113; and an application downloaded from the Internet. Inthis embodiment, the risk of tampering for these acquisition paths isassumed to increase in the order of the transport stream, the secondarystorage unit 111, the secondary storage unit 113, and the Internet.

The first tentative permission holding unit 232, the second tentative permission holding unit 233, and the third tentative permission holding unit 234 hold first tentative permission information, second tentative permission information, and third tentative permission information, respectively. The first tentative permission information, the second tentative permission information, and the third tentative permission information each show permission to access resources. The number of accessible resources decreases in the order of the first tentative permission information, the second tentative permission information, and the third tentative permission information. In more detail, the first tentative permission information shows first tentative permission which includes the display control right, the right to control a transport stream and select a channel, and the right to access the secondary storage units 111 and 113. The second tentative permission information shows second tentative permission which includes the display control right and the right to access the secondary storage units 111 and 113. The third tentative permission information shows third tentative permission which includes the display control right and the right to access the secondary storage unit 113 that is a removable nonvolatile memory. Like the unsigned application permission information in the first embodiment, the first tentative permission information, the second tentative permission information, and the third tentative permission information are each realized by writing the corresponding permission in XML.

The digital television reception device 3 having the above construction sets the access permission 225 which is granted to the application 14 at the time of activation, in the following manner. Here, the digital television reception device 3 grants access to more resources to the application 14 when the acquisition path of the application 14 has a lower risk of tampering.

FIG. 19 is a flowchart showing a procedure of setting the access permission 225 at the time of activation in the digital television reception device 3.

The life cycle management unit 212 reads the acquisition path information from the acquisition path holding unit 231 (S61). The life cycle management unit 212 judges through which acquisition path the application 14 has been acquired, based on the read acquisition path information (S62, S64, and S65).

If the application 14 has been acquired from a transport stream (S62: YES), the life cycle management unit 212 reads the first tentative permission information from the first tentative permission holding unit 232, and instructs the security management unit 221 to set the first tentative permission shown by the first tentative permission information as the access permission 225 (S63).

If the application 14 has been read from the secondary storage unit 111 (S64: YES and S65: NO), the life cycle management unit 212 reads the second tentative permission information from the second tentative permission holding unit 233, and instructs the security management unit 221 to set the second tentative permission shown by the second tentative permission information as the access permission 225 (S66).

If the application 14 has been read from the secondary storage unit 113 (S64: YES and S65: YES) or downloaded from the Internet (S64: NO), the life cycle management unit 212 reads the third tentative permission information from the third tentative permission holding unit 234, and instructs the security management unit 221 to set the third tentative permission shown by the third tentative permission information as the access permission 225 (S67).

According to this procedure, the access permission 225 tentatively granted to the application 14 at the time of activation is varied depending on the acquisition path of the application 14. If the acquisition path of the application 14 has a lower risk of tampering, the application 14 is tentatively granted access to more resources. Since more instructions in the application 14 can be carried out with grant of access to more resources, the possibility of having to wait for the completion of the tamper check due to the occurrence of a resource call not permitted within the tentative permission decreases.
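The FIG. 19 selection described above, together with the behaviour of waiting for the tamper check when an instruction reaches a resource outside the tentative permission (the abstract and claims 9 and 10), as an added Python model that is not part of the patent: the resource labels, the acquisition path names, the SHA-256 hash comparison and the `check_delay` parameter are assumptions made for illustration.

```python
import hashlib
import threading
import time

# Constructed labels for the resources named in the description.
DISPLAY = "display_control"
CHANNEL = "transport_stream_control_and_channel_select"
STORAGE_111 = "secondary_storage_111"
STORAGE_113 = "secondary_storage_113_removable"
RETURN_CHANNEL = "network_return_channel"  # assumed: granted only by the permission file

# The lower the tampering risk of the acquisition path, the larger the tentative set.
FIRST_TENTATIVE = frozenset({DISPLAY, CHANNEL, STORAGE_111, STORAGE_113})
SECOND_TENTATIVE = frozenset({DISPLAY, STORAGE_111, STORAGE_113})
THIRD_TENTATIVE = frozenset({DISPLAY, STORAGE_113})

def tentative_permission(acquisition_path):
    """Steps S62 to S67 of FIG. 19: pick the tentative permission from the path."""
    if acquisition_path == "transport_stream":           # S62: YES -> S63
        return FIRST_TENTATIVE
    if acquisition_path == "storage_111":                # S64: YES, S65: NO -> S66
        return SECOND_TENTATIVE
    if acquisition_path in ("storage_113", "internet"):  # S65: YES or S64: NO -> S67
        return THIRD_TENTATIVE
    raise ValueError("unknown acquisition path: %r" % acquisition_path)

class Application:
    def __init__(self, path, code, hash_info, definite_permission, check_delay=0.0):
        self.code = code                      # application bytes as acquired
        self.hash_info = hash_info            # hash value carried with the application
        self.definite = frozenset(definite_permission)  # from the permission file
        self.permission = tentative_permission(path)
        self.check_delay = check_delay        # models a slow check (demo assumption)
        self.check_done = threading.Event()
        self.tampered = None
        # The tamper check runs in its own thread, in parallel with execution.
        threading.Thread(target=self._tamper_check, daemon=True).start()

    def _tamper_check(self):
        """Recompute the hash and compare it with the carried hash information."""
        time.sleep(self.check_delay)
        self.tampered = hashlib.sha256(self.code).hexdigest() != self.hash_info
        if not self.tampered:
            # Untampered: widen the permission to what the permission file specifies.
            self.permission = self.permission | self.definite
        self.check_done.set()

    def access(self, resource):
        """True if the access may proceed; blocks when the check must finish first."""
        if resource in self.permission:
            return True                       # within tentative permission: no wait
        self.check_done.wait()                # outside it: wait for the tamper check
        if self.tampered:
            raise PermissionError("application tampered with; execution stopped")
        return resource in self.permission

def demo():
    """Constructed walk-through: untampered app via transport stream, tampered app via Internet."""
    code = b"constructed MHP application bytes"
    good = Application("transport_stream", code, hashlib.sha256(code).hexdigest(),
                       {RETURN_CHANNEL}, check_delay=0.5)
    results = {"tentative_no_wait": good.access(DISPLAY) and not good.check_done.is_set()}
    results["definite_after_wait"] = good.access(RETURN_CHANNEL)  # blocks until the check ends
    bad = Application("internet", code, "0" * 64, {STORAGE_111})
    results["tentative_still_ok"] = bad.access(DISPLAY)
    try:
        bad.access(STORAGE_111)               # not tentative, and the check found tampering
        results["tampered_stopped"] = False
    except PermissionError:
        results["tampered_stopped"] = True
    return results
```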

This embodiment describes the case where the risk of tampering for the acquisition paths increases in the order of a transport stream, the secondary storage unit 111, the secondary storage unit 113, and the Internet. In the case of the Internet, however, the risk of tampering further differs between when downloading data, which is transmitted by TCP/IP, in encrypted form using SSL or the like and when downloading data in unencrypted form without using SSL or the like. Which is to say, the risk of tampering is higher when downloading the application 14 without using SSL. Hence the present invention can also be applied to an application execution device which downloads an application from the Internet and executes it, by varying the access permission tentatively granted to the application depending on the use of SSL. In detail, if the application 14 is downloaded from the Internet using SSL, the application 14 is tentatively granted access to more resources than when the application 14 is downloaded without using SSL.

The second embodiment describes the case where the access permission tentatively granted to the application 14 is varied depending on the risk of tampering of the acquisition path of the application 14. As an alternative, the access permission tentatively granted to the application 14 may be varied depending on the time period required for application acquisition through the acquisition path. This time period required for application acquisition can be determined based on factors such as a data transfer rate of a transport stream or a data access time of a secondary storage unit. This being so, when the acquisition path of the application 14 requires a longer time period for application acquisition, access to more resources may be tentatively granted to the application 14. In so doing, when it takes a longer time to acquire the application 14 and therefore to perform tamper check, the application 14 is tentatively granted access to more resources, so that more instructions in the application 14 can be carried out. This allows the viewer to use the application 14 without noticing that the tamper check has not been completed.

Also, it takes considerably less time to read an application from a secondary storage unit than to acquire an application from a transport stream. In view of this, a procedure shown in FIG. 20 may be employed.

In FIG. 20, if the acquisition path of the application 14 is a transport stream (S51: YES), the tamper check thread is created without waiting for the whole application 14 to be stored into the primary storage unit 110 (S52). The application 14 is then granted the third tentative permission (S53) and activated (S57). If the acquisition path of the application 14 is not a transport stream (S51: NO), steps S54 to S57 are performed after the whole application 14 is stored into the primary storage unit 110, in the same way as a conventional signed application. In so doing, the activation of the application 14 is speeded up only if the acquisition of the application 14 takes a long time. Otherwise, the application 14 is executed securely according to the procedure for a conventional signed application.

(Modifications)

The present invention has been described by way of the above embodiments, though it should be obvious that the present invention is not limited to the above. Example modifications are given below.

(1) The present invention also applies to an application execution method shown by the flowcharts in the above embodiments. This method may be realized by a computer-readable program that can be executed by a computer. Such a computer program may be distributed as a digital signal.

The present invention may be realized by a computer-readable recording medium, such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, a BD (Blu-ray Disc), or a semiconductor memory, on which a computer-readable program and/or digital signal mentioned above is recorded.

Conversely, the present invention may also be realized by a computer-readable program and/or digital signal that is recorded on such a recording medium.

A computer-readable program or digital signal that achieves the present invention may also be transmitted via a network, such as an electronic communications network, a wired or wireless communications network, or the Internet.

Also, the computer program and/or digital signal may be provided to an independent computer system by distributing a recording medium on which the computer-readable program and/or digital signal is recorded, or by transmitting the computer-readable program and/or digital signal via a network. The independent computer system may then execute the computer-readable program and/or digital signal to function as the present invention.

(2) The present invention may also be realized by an LSI circuit which controls the application execution device. Such an LSI circuit can be implemented by integrating the functional blocks shown in FIG. 12 or 18. These functional blocks may be individually constructed in chips, or partly or wholly constructed in one chip.

The LSI circuit mentioned here may be an IC, a system LSI circuit, a super LSI circuit, or an ultra LSI circuit depending on the degree of integration.

Alternatively, a dedicated circuit or a general-purpose processor may be used for circuit integration instead of LSI. An FPGA (Field Programmable Gate Array) which is an LSI chip programmable after manufacture and a reconfigurable processor capable of reconfiguring connections and settings of circuit cells within an LSI chip are applicable too.

If a new IC technique that can replace the conventional LSI is developed as a result of the advance of semiconductor and other technologies in the future, the functional blocks and components described in the above embodiments may be integrated using this technique. For example, biotechnology may be adopted for such a technique.

(3) The first embodiment describes the case where an application is activated with grant of unsigned application permission prior to completion of tamper check. However, the present invention is not limited to such, so long as the application is tentatively granted such access permission that will not adversely affect the device. For instance, the application may be granted the unsigned application permission except access rights that are judged as having a risk of adversely affecting the device. Alternatively, the application may be granted all access rights included in the unsigned application permission and further the access right to files in the secondary storage unit 111 which have been confirmed as being accessible without a loss of security.

(4) The first embodiment describes the case where a transport stream is transmitted from one broadcast device and received by one digital television reception device. The present invention, however, is not limited to such a numerical relationship between broadcast devices and digital television reception devices, as the system may include a plurality of broadcast devices for transmitting transport streams and a plurality of digital television reception devices for receiving transport streams.

(5) The present invention is not limited to specific physical characteristics of a transmission path of an application, and is applicable to applications transmitted via various transmission paths such as a terrestrial wave, a satellite, and a cable television.

(6) The first and second embodiments describe a digital television reception device as an example of the application execution device of the present invention, but the present invention is equally applicable to other environments, such as a mobile telephone, for executing applications.

(7) The limitations described in the first and second embodiments and the modifications may be freely combined.

INDUSTRIAL APPLICABILITY

The application execution device of the present invention has an effect of speeding up activation of an application, and can be effectively used, for example, for a digital television reception device which acquires an application transmitted using an object carousel and executes the acquired application.

1. An application execution device comprising: an acquisition unit operable to acquire an application program which includes instructions to access resources and which is used in a Multimedia Home Platform; a judgment unit operable to judge whether the application program has been tampered with; a tentative permission setting unit operable to obtain tentative permission information showing permission to access only a first resource; a definite permission setting unit operable to obtain definite permission information showing permission to access the first resource and a second resource; and an execution unit operable to execute the application program, wherein, when the application program is a signed application program that requires authentication in order to be executed and before the judgment unit completes the judging whether the signed application program has been tampered with, the execution unit executes the signed application program within a range of the permission shown by the tentative permission information, and when after the judgment unit completes the judging whether the signed application program has been tampered with and the signed application program is judged as not having been tampered with, the execution unit executes the signed application program within a range of the permission shown by the definite permission information.

2. The application execution device of claim 1, wherein the execution unit assumes a file size of the application program to be zero, if the application program is judged as having been tampered with.

3. The application execution device of claim 1, wherein the execution unit starts executing the application program before the acquisition unit completes the acquisition of the application program.

4. The application execution device of claim 3, wherein the acquisition unit acquires the application program by receiving a digital stream carrying the application program.

5. The application execution device of claim 4, wherein the digital stream is a transport stream of digital television broadcasting, and the application program is multiplexed in the transport stream using an object carousel.

6. The application execution device of claim 5 further comprising: a transmitter identification unit operable to identify a transmitter of the application program based on transmitter information for identifying the transmitter, wherein the object carousel contains the transmitter information in addition to the application program, the acquisition unit further acquires the transmitter information, and the execution unit starts executing the application program after the transmitter identification unit completes the identification of the transmitter.

7. The application execution device of claim 1, wherein the acquisition unit further acquires an application identifier showing a type of the application program, and the execution unit starts executing the application program before the judgment unit completes the judgment, if the type shown by the acquired application identifier matches a predetermined type.

8. The application execution device of claim 7, wherein the predetermined type is a type of application program that is permitted to access only the first resource until the judgment unit completes the judging.

9. The application execution device of claim 1, wherein when the execution unit, while executing the application program, reaches an instruction to access the second resource but the judgment unit has not completed the judging, the execution unit waits until the judgment unit completes the judging.

10. The application execution device of claim 1, wherein the application program includes hash information showing a hash value of the application program, and the judgment unit judges whether the application program has been tampered with by calculating a hash value of the application program and comparing the calculated hash value with the hash value shown by the hash information.

11. The application execution device of claim 1, wherein the acquisition unit acquires the application program through one of a plurality of acquisition paths, the plurality of acquisition paths each having a different level of risk of tampering, the tentative permission setting unit obtains tentative permission information corresponding to the acquisition path of the application program, and when the acquisition path of the application program has a lower level of risk of tampering, the tentative permission information corresponding to the acquisition path shows the permission to access the first resource, the permission including access to a resource having a higher risk of adversely affecting the application execution device.

12. The application execution device of claim 11, wherein when the application program is in an encrypted form, the acquisition path of the application program has the lower level of risk of tampering, and when the application program is in an unencrypted form, the acquisition path of the application program has a higher level of risk of tampering.

13. The application execution device of claim 1, wherein the acquisition unit acquires the application program through one of a plurality of acquisition paths, the plurality of acquisition paths each having a different time period required for acquiring an application program, the tentative permission setting unit obtains tentative permission information corresponding to the acquisition path of the application program, and when the acquisition path of the application program has a longer time period required, the tentative permission information corresponding to the acquisition path shows the permission to access the first resource, the permission including access to a resource having a higher risk of adversely affecting the application execution device.

14. An integrated circuit for controlling an application execution device, the integrated circuit comprising: an acquisition unit operable to acquire an application program which includes instructions to access resources and which is used in a Multimedia Home Platform; a judgment unit operable to judge whether the application program has been tampered with; a tentative permission setting unit operable to obtain tentative permission information showing permission to access only a first resource; a definite permission setting unit operable to obtain definite permission information showing permission to access the first resource and a second resource; and an execution unit operable to execute the application program, wherein, when the application program is a signed application program that requires authentication in order to be executed and before the judgment unit completes the judging whether the signed application program has been tampered with, the execution unit executes the signed application program within a range of the permission shown by the tentative permission information, and, when after the judgment unit completes the judging whether the signed application program has been tampered with and the signed application program is judged as not having been tampered with, the execution unit executes the signed application program within a range of the permission shown by the definite permission information.

15. An application execution method used by an application execution device, the method comprising: an acquisition step of acquiring, using an acquisition unit, an application program which includes instructions to access resources and which is used in a Multimedia Home Platform; a judgment step of judging, using a judgment unit, whether the application program has been tampered with; a tentative permission setting step of obtaining, using a tentative permission setting unit, tentative permission information showing permission to access only a first resource; a definite permission setting step of obtaining, using a definite permission setting unit, definite permission information showing permission to access the first resource and a second resource; and an execution step of executing, using an execution unit, the application program, wherein, when the application program is a signed application program that requires authentication in order to be executed and before the judgment step completes the judging whether the signed application program has been tampered with, the execution step executes the signed application program within a range of the permission shown by the tentative permission information, and, when after the judgment step completes the judging of whether the signed application program has been tampered with and the signed application program is judged as not having been tampered with, the execution step executes the signed application program within a range of the permission shown by the definite permission information.

16. A computer-readable recording medium having recorded thereon a computer-readable program that when executed causes a computer to perform an application execution method comprising: an acquisition step of acquiring an application program which includes instructions to access resources and which is used in a Multimedia Home Platform; a judgment step of judging whether the application program has been tampered with; a tentative permission setting step of obtaining tentative permission information showing permission to access only a first resource; a definite permission setting step of obtaining definite permission information showing permission to access the first resource and a second resource; and an execution step of executing the application program, wherein, when the application program is a signed application program that requires authentication in order to be executed and before the judgment step completes the judging whether the signed application program has been tampered with, the execution step executes the signed application program within a range of the permission shown by the tentative permission information, and, when after the judgment step completes the judging and the signed application program is judged as not having been tampered with, the execution step executes the signed application program within a range of the permission shown by the definite permission information.